# Microsoft Intune Integration

The integration between Microsoft Intune and Asset Panda Pro streamlines device and asset tracking and management. The integration supports the following types of actions:

* Retiring devices (removing them from the system while retaining historical records)
* Wiping data (without affecting Asset Panda Pro)
* Deleting devices (removing them from both Intune and Asset Panda)
* Remotely locking devices 

The integration ensures smooth data synchronization and accurate asset management across both platforms.

You must perform the following steps to integrate Microsoft Intune with Asset Panda Pro and streamline your asset management process:

1. **Enable Microsoft Intune Integration**: Connect your Microsoft Intune account to Asset Panda to fetch device data.
2. **Configure Asset Panda Integration**: Map the Intune device data fields within Asset Panda for accurate synchronization.
3. **Sync Devices and Data**: Sync your devices from Intune to Asset Panda, ensuring real-time updates and accurate tracking.

## Prerequisites

* Active Asset Panda subscription
* Microsoft Azure Active Directory (AAD) deployment within your organization
* Administrator access to both Microsoft Azure and Asset Panda platforms
* Required permissions to register applications, generate secrets, and grant API access in Azure
* Relevant collections and fields in Asset Panda Pro. If data is synced into a non-existent field, the integration may not be completed successfully. 

{% hint style="warning" %}
*It is strongly recommended that one Microsoft Intune field contain unique values that directly match a corresponding field in Asset Panda Pro.*\
\
\&#xNAN;*A common best practice is to use the **Serial Number** field as a unique match, assuming it’s already tracked and marked unique in Asset Panda. This prevents duplication by ensuring that synced devices update existing records instead of creating new ones.*
{% endhint %}

### Key fields and options

* **Device Type**: Sync and import assets based on their specific type.
* **Device Configuration**: Track devices as "Company Owned" or "Company Managed."
* **Asset Panda Management**: Manage synced devices within Asset Panda for real-time updates and consistency.

***

## Set up Microsoft Intune 

### Register a new application in Azure

1. In a web browser, go to the [**Azure Portal**](https://portal.azure.com/).
2. Sign in using your **Azure administrator** credentials.
3. In the search bar, enter **App Registrations** and select it from the results.
4. Click **New Registration**.
5. Enter a name for your application (for example, `Intune Integration`).
6. Under **Supported account types**, select **Accounts in this organizational directory only (Single tenant)**.
7. Click **Register** to create the application.

***

### Retrieve required IDs <a href="#retrieve-req-id" id="retrieve-req-id"></a>

1. After registration, go to the **Application Overview** page.
2. Copy the following values for later use:
   * **Application (Client) ID**
   * **Directory (Tenant) ID**
   * **Object ID**&#x20;

***

### Generate the client secret <a href="#client-secret" id="client-secret"></a>

1. In the navigation pane, select **Certificates & Secrets**.
2. Under **Client secrets**, click **New client secret**.
3. In the **Description** field, enter a name (for example, `Intune Secret`).
4. Under **Expires**, select a validity period (for example, 6 months or 1 year).
5. Click **Add** to generate the client secret.
6. Copy the **Value** (not the Secret ID).

{% hint style="danger" %}
The secret **value** is only displayed once. Store it safely for later use.
{% endhint %}

***

### Assign API permissions in Azure <a href="#api-permissions" id="api-permissions"></a>

To allow integration with Intune, the application needs API permissions.

1. In a web browser, go to the [**Azure Portal**](https://portal.azure.com/).
2. In the navigation pane, select **API Permissions**. The default **User.Read** permission should already be listed.
3. Click **Add a permission**.
4. In the **Request API permissions** window, select **Microsoft Graph**.
5. Click **Application Permissions**.
6. Expand **DeviceManagementManagedDevices** and select:
   * `User.Read.All`
   * `Group.Read.All`
   * `DeviceManagementManagedDevices.PrivilegedOperations.All`
   * `DeviceManagementManagedDevices.ReadWrite.All`
7. Expand **DeviceManagementApps** and select:
   * `DeviceManagementApps.Read.All`
8. Click **Add Permissions**.

***

### Grant Admin consent <a href="#admin-consent" id="admin-consent"></a>

1. On the **API Permissions** page, click **Grant admin consent for \<your tenant name>**. A confirmation message is displayed. Click **Yes**.
2. Ensure that the **Status** column for all permissions shows **Granted**.

The following details are required when setting up Asset Panda integration with Microsoft Intune:

* **Application (Client) ID**: Used as **Client ID** in Asset Panda.
* **Directory (Tenant) ID**: Used as **Tenant ID** in Asset Panda.
* **Object ID**: Used as **Application Object ID** in Asset Panda.
* **Client Secret (Value)**: Used as **Client Secret** in Asset Panda.

***

## Set up the Microsoft Intune integration in Asset Panda Pro

1. Log into Asset Panda Pro with an administrator account
2. Navigate to <img src="/files/dLHka5YWbUR3zisHLua6" alt="Settings icon" data-size="line"> **Settings** > **Account Management**.
3. Expand the appropriate account and module.
4. Click **Manage** in the **Integrations** card.
5. Select **Integrations Store**.
6. In the **Microsoft Intune** tile, click **Add**. The **Integrations in this module** tab is displayed.
7. In the **Microsoft Intune** tile, click **Configure**.
8. Enter the required credentials that were copied when you set up Microsoft Intune:
   * Client ID
   * Client Secret
   * Application Object ID
   * Tenant ID
9. Click **Test and Save Connection** to verify authentication.
10. Click **Continue with mapping**.
11. Provide a **Mapping Name.**
12. Select the relevant **Asset Panda collection** to receive the data.
13. Select the appropriate **external entity** from Microsoft Intune.
14. In the **Mapping** section, map the Asset Panda field from Microsoft Intune to the relevant column in your Asset Panda Pro collection. See [Configure data mapping and filtering](#configure-data-mapping-and-filtering).
15. Click **Save**.

***

## Configure data mapping and filtering

During integration, Microsoft Intune fields must be mapped to corresponding Asset Panda fields to ensure accurate data synchronization. Proper mapping prevents duplication and ensures that device records are updated correctly within Asset Panda.

#### **Unique Identifiers**

A unique identifier is a field that remains constant and is distinct for each record, ensuring accurate data syncing and preventing duplicates between Microsoft Intune and Asset Panda. Common examples include Intune Device ID or Serial Number, depending on the type of data being mapped. For example:

* Use **Intune Device ID** for most environments, as it is system-assigned and consistent.
* Use **Serial Number** if your organization tracks it as a unique field in Asset Panda and it is reliably populated.

{% hint style="warning" %}
Do not use fields like Device Name, User Email, or Compliance Status, because they can change over time or may not be unique, leading to sync errors.
{% endhint %}

{% hint style="info" %}
Setting up an automation ensures data stays up to date by syncing records at scheduled intervals.
{% endhint %}

### Microsoft Intune fields <a href="#mapping-guide" id="mapping-guide"></a>

<table><thead><tr><th width="196.60546875">Field Name</th><th>Description</th><th>Mapping &#x26; Filtering Guidance</th></tr></thead><tbody><tr><td>Intune Device ID</td><td>A unique, system-assigned identifier for each Intune-managed device.</td><td>Recommended as the Unique Identifier for matching records.</td></tr><tr><td>Serial Number</td><td>Manufacturer-assigned serial number of the device.</td><td>Can be used as a Unique Identifier if consistently populated and marked unique in Asset Panda.</td></tr><tr><td>IMEI</td><td>Identifier for mobile/cellular devices.</td><td>Optional; applicable mainly to mobile devices. May be blank for desktops.</td></tr><tr><td>MEID</td><td>Alternate mobile device ID.</td><td>Similar use as IMEI. Use only if populated reliably.</td></tr><tr><td>Wi-Fi MAC</td><td>MAC address of the device's wireless interface.</td><td>Optional; may not be consistently available or unique.</td></tr><tr><td>EAS Device ID</td><td>Exchange ActiveSync identifier.</td><td>Typically used in Exchange environments only.</td></tr><tr><td>Device Name</td><td>User-assigned or system-generated device name.</td><td>Not suitable as a Unique Identifier. May change over time.</td></tr><tr><td>Primary User Name</td><td>Username of the device’s primary user.</td><td>Useful for reference; not for identity matching.</td></tr><tr><td>Primary User Email</td><td>Email of the device’s primary user.</td><td>Use for reporting; avoid using as a Unique Identifier.</td></tr><tr><td>User Display Name</td><td>Full name of the assigned user.</td><td>Display-only value. Not unique or stable.</td></tr><tr><td>User Principal Name (UPN)</td><td>Azure AD login name (e.g., user@domain.com).</td><td>Good for user tracking. Not unique to the device.</td></tr><tr><td>User ID</td><td>Azure AD object ID of the user.</td><td>Tied to the user, not the device. Avoid for device-level identity.</td></tr><tr><td>Phone Number</td><td>Phone number linked to the device.</td><td>Often blank or reused. Not reliable for matching.</td></tr><tr><td>Ownership</td><td>Indicates if device is corporate or personal.</td><td>Use for filtering by ownership type.</td></tr><tr><td>Device Manufacturer</td><td>Brand/vendor of the hardware (e.g., Apple, Dell).</td><td>Use for categorization or filtering. Not unique.</td></tr><tr><td>Model</td><td>Device model (e.g., iPhone 13, Dell XPS).</td><td>Useful for classification. Not recommended for identity matching.</td></tr><tr><td>OS / OS Version</td><td>Operating system and version installed.</td><td>Use for grouping or reporting. Not a unique value.</td></tr><tr><td>Compliance</td><td>Device compliance status based on Intune policies.</td><td>Use for filtering compliant vs non-compliant devices.</td></tr><tr><td>Category</td><td>Custom label defined in Intune.</td><td>Optional metadata; use as needed for filtering.</td></tr><tr><td>Device Enrollment Type</td><td>Method used for enrollment (e.g., manual, automatic).</td><td>Use for filtering enrollment method.</td></tr><tr><td>Device Registration State</td><td>Registration status in Entra ID.</td><td>Informational. Do not use for identity.</td></tr><tr><td>Management Agent</td><td>Agent type used to manage the device.</td><td>Use for internal classification.</td></tr><tr><td>Microsoft Entra Registered</td><td>Indicates if device is registered in Microsoft Entra ID.</td><td>Boolean value; not suitable as Unique Identifier.</td></tr><tr><td>Partner Threat State</td><td>Threat level reported from partner solutions.</td><td>Use for security reporting; not identity.</td></tr><tr><td>Encrypted / Supervised / Jailbroken</td><td>Security posture indicators.</td><td>Use for compliance visibility. Not identity fields.</td></tr><tr><td>EAS Activation Date</td><td>Date when Exchange ActiveSync was activated.</td><td>Timestamp field. Not stable.</td></tr><tr><td>Free / Total Storage Space</td><td>Storage metrics in bytes.</td><td>Volatile fields. Use for reporting only.</td></tr><tr><td>Last Successful Sync Date</td><td>Timestamp of last successful sync with Intune.</td><td>Changing value. Do not use for matching.</td></tr></tbody></table>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://prohelp.assetpanda.com/integrations-store/device-management/microsoft-intune-integration.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.